
What will GDPR data portability mean for enterprises?

Enforcement of the EU's General Data Protection Regulation is coming soon. Mimecast's Marc French discusses the big questions about GDPR data portability for enterprises.

Data portability may be near the bottom of the list of key challenges with the European Union's new General Data Protection Regulation, but it is one more hoop that information security professionals will need to find a way to jump through. Data portability may seem simple to implement, but even the simplest aspect of GDPR can still produce surprising challenges.

Under Article 20, GDPR data portability is the right of EU data subjects -- citizens or residents of any EU member nation -- "to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided," as specified in the new regulation.

It may seem simple in theory, but the practice of complying with GDPR data portability may have some unexpected twists, especially for businesses that track lots of consumer data, like search engines, social media sites and retail websites.

Marc French, senior vice president, chief trust officer and data protection officer for GDPR compliance at Mimecast, a cloud email security company headquartered in Lexington, Mass., explained just what it will take to comply with the new GDPR data portability requirement, and the state of standards for formatting data to comply with the law.

Marc French: This is the one where the way the regulation reads it is, 'I have the ability for me to take my data with me to someone else.'

Now, there's two kinds of sticky wickets with this. One is, what does it mean to take your data with you, to where? And two, what time frame is actually outlined to get the data out?


If I go to Google and say, 'I want data portability, so I want you to take my search queries out,' they could probably generate that data somehow. It's unclear what format [the data would be in] because there's no central format for portability; that didn't get baked into the regulation. So every one of these vendors is going to give you something different.

And then, to what end? Say you produce for me a CSV file and I'm going to put it over to Bing. What does it mean to put it over to Bing? To what end are you actually going to port it out, and how does Bing ingest that? Is Bing going to force you to reformat that text file into an XML file so it can load it into their environment?

This is the one I think that is the most open ended now because there's really no guidance as to the formatting and the targets.

And then there's also no guidance around how long is it going to take? It [Article 20] says 'as soon as feasibly possible.' What happens if feasibly possible is six months? There really hasn't been any guidance yet as to how long it would take you.

So say you're an avid searcher, and you've got seven petabytes worth of data in Google; how long is it going to take for Google to get that out from a portability perspective, and is there an expectation that the production of anything of any size is free? Because if I had to generate seven petabytes, I don't know that I could push that to you over a bandwidth pipe. I might have to send you a CD. All those things, right now, are completely up in the air from my perspective.

I see a lot of folks, [including] my peers out there, basically holding on the portability side because it's so ambiguous right now. They don't know where to invest or how to do it because of all those open items, so a lot of folks are pushing that to the back burner until they produce much more guidance around it. They don't know how to service it, they don't know what the target is and they don't know what the time frames are. So there are so many open-ended questions now that most people are just kind of in a waiting pattern.

[As for new standards for GDPR data portability], I haven't seen anything. We'll probably arrive at some kind of reasonableness from a time frame perspective, but I'm not sure that I've seen anything or heard anything about, 'everybody's going to produce a CSV file,' as an example, in comma-separated format. I haven't seen anything like that on any of the wires or any of the guidance or any of the conversations I've had.

This was last published in March 2018


5 comments

What have you done to prepare for responding to GDPR right to data portability requests?
I raised this issue during the consultancy stage, but got no response. The bigger issue to me was that there's no definition of the semantics of the data. Even simple things like 'Name' have several representations, and few models make the distinction between the Name used as an identifier on official documents and the Names used to address a person in different circumstances.

I gave up with the EU and decided that I'd run some trial DSARs to confirm that the taxonomies used by data controllers are fit for purpose, otherwise they'll be in breach of the principle of getting the data accuracy correct.
Who should be defining the semantics of the data, and how should they be doing it? 

Would it be better to try to spell everything out ahead of time, and risk missing some important issues, or to allow the principles be refined over time as issues arise?
No one should. The tacit assumption in GDPR that it's been done and there's a widely shared taxonomy/schema/ontology is wrong.

I'm with the lawyer at a magic circle firm who estimated 20 years for the legals to become clear enough to be useful.
I'd love to hear more about this, it seems important to understand. Would you be willing to go into more detail for publication?